Preauth mechanism provision in MIT kerberos

Mike Dopheide dopheide at ncsa.uiuc.edu
Wed Jul 18 09:11:57 EDT 2007


For an existing principal you can enable preauth from kadmin with:

modprinc +requires_preauth principalname

I don't know of a way to enable preauth globally aside from setting it 
for each principal.

-Mike

Gopal Paliwal wrote:
> Hi Friends,
> 
> Recently I set up the whole kerberos system using MIT kerberos 1.6.1. When I
> run the kinit command I observe the results on ethereal.
> Following is my observation:
> $>kinit <username>
> I observe that as soon as I enter above command, ethereal captures 2 packets
> namely KRB5_AS_REQ and KRB5_AS_RES. After that I type password at my end to
> which is used to decrypt the session key(between TGS & Client), I get in
> response.
> 
> I assume that for the above case "pre-auth mechanism" in kerberos is not
> activated. Even when I look at the code & RFC, I observe that preauth
> mechanism is optional.
> 
> I wish to activate this mechanism for my set-up so that the password
> generated key will be used to encrypt the time-stamp at the client side and
> this encrypted stamp will be carried by the KRB5_AS_REQ to authentication
> server.
> That means I should see above message flow on the ethereal only when the
> user types both its username and password for kinit command.
> 
> Could any one tell me how do I activate this preauth mechanism in my
> kerberos if my above assumption is on the correct track. And also point out
> the files I need to change to activate this mechanism.
> 
> Thanks in advance.
> 
> Regards,
> Gopal Paliwal



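Added example, not part of the original thread or of MIT Kerberos: since the flag is set per principal, a small audit over `getprinc` output can list the principals that still lack REQUIRES_PRE_AUTH and print the `modprinc` command from the reply for each one. The function names, the EXAMPLE.TEST realm and the sample output are constructed for this example; `audit_live` assumes it runs on the KDC host with `kadmin.local` available.

```shell
#!/bin/sh
# Added example: find principals that still lack REQUIRES_PRE_AUTH.
# Function names and sample data are this example's own (constructed).

# Constructed `getprinc`-style output for three principals (abridged fields).
sample_getprinc() {
    cat <<'EOF'
Principal: alice@EXAMPLE.TEST
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: bob@EXAMPLE.TEST
Expiration date: [never]
Attributes:
Policy: [none]
Principal: carol@EXAMPLE.TEST
Expiration date: [never]
Attributes: DISALLOW_FORWARDABLE
Policy: [none]
EOF
}

# Read getprinc output on stdin; print principals without REQUIRES_PRE_AUTH.
missing_preauth() {
    awk '
        /^Principal: / { if (name != "" && !ok) print name
                         name = $2; ok = 0 }
        /^Attributes:/ { for (i = 2; i <= NF; i++) if ($i == "REQUIRES_PRE_AUTH") ok = 1 }
        END            { if (name != "" && !ok) print name }
    '
}

# Turn principal names on stdin into the modprinc command from the reply.
modprinc_commands() {
    while IFS= read -r princ; do
        printf 'modprinc +requires_preauth %s\n' "$princ"
    done
}

# Live use on the KDC host (assumption: kadmin.local is on PATH; not run here).
# Review service principals (krbtgt/..., host/...) before applying the output:
# on a service the flag restricts which clients can get tickets for it.
audit_live() {
    kadmin.local -q listprincs 2>/dev/null | grep -v '^Authenticating as' |
    while IFS= read -r p; do kadmin.local -q "getprinc $p" 2>/dev/null; done |
    missing_preauth
}
```

On the KDC, `audit_live | modprinc_commands` prints the commands for review before any of them is entered in kadmin.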